Overview

overview

10

Static

static

8897db8765...80.exe

windows7_x64

10

8897db8765...80.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

  • Size

    56KB

  • Sample

    200630-a2p11hd5yj

  • MD5

    ecb00e9a61f99a7d4c90723294986bbc

  • SHA1

    be59c867da75e2a66b8c2519e950254f817cd4ad

  • SHA256

    8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

  • SHA512

    9dee79827d865de41a63962b419eed7e1f9610ff27f00f8b7b2b9f51e905d5db907d310da590d8f1a11ac88e549373edf39bffdb44d1b205728f1b5e0a43aa5e

Score
10/10
wastedlockerdiscoveryexploitpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DisconnectWait.lock.txt

Family

wastedlocker

Ransom Note
ENERGYSOLUTIONS YOUR NETWORK IS ENCRYPTED NOW USE [email protected] | [email protected] TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]OgLI0or/oNGGRSOB+9aWpC/1e5r9W6INar2TorUlA6ucqZD4EXqMUekxiI/JHRan hHz7Jk2Gc1AIyQtqyL/a3SWYghzWQx8GeRZAmEI0CV7k2wTnRM+y5RiDEPNdze6k uT+zfVp885mJijIbV/Vq6p52FFR6rt4gKmRqbHcUC1T5xs/zSCyMOHBKc8sIuJd4 Rm7jPEfy34XkoDDle9ejzroI2AZ5auuztvvHDHIUD8uMheDU441S79Q+E+5Xs6S5 ZFQHEw0Ha2EuqMGHHGhYoal43/CYqyn9ytfl3Ru9HMMMarM2pUwBVjktMy3H0KOU f1i3VSgAJAEUGmlUq9pafiv4yofLsMiJzYo31WUrv56ozk0uAGamPC8Gc2IRbsa1 UA/p3ZiyIVTpxHepsMnuGgOVa0NZ+oVMH4ZGFj+kziqWYjiOVnY11YPNOxq2BjN6 z+AuKXF98dSvlGGckmSbt5DmaWt8QtCdRzCiTlWxgnqf+V7uI5W4X/HWFa5tbTj4 DNYKmfSMbq46QsiKkRWfsSFDEYUNCa8qWzRE0D+OP7pjgFK9G0CzqWr+cXuDlGIv Eia7/VFeNRV4JV1yrdPjLKuy9kGahOJNbGbL4bGa1wXnhtUobvcqp+HTl4/I0Sz9 SGEoh8cCtwECFHH63XLDb3vJU5+W1zwUlXuTTfAmVlw=[end_key] KEEP IT

Extracted

Path

C:\Users\Admin\Desktop\MoveDeny.mpeg3.eswasted_info.txt

Family

wastedlocker

Ransom Note
ENERGYSOLUTIONS YOUR NETWORK IS ENCRYPTED NOW USE [email protected] | [email protected] TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]i34DEHUNZz4v4dXnXaZzEMw8LWWGz5Hx8p8OgNO/t+4E59XzfEYiE9T3WkJnk3tM v29T2bl/tukZPXI9NWFM1T6/5LxMLH2LAnJoEbba/CwLy4lPWfb4B/ilz8dEWVJD hjk5SbSrtzqzFDqFKzEmu5p4CYdt5qMMaTz1M9fHxWTWFKeD4nS1poA9V7DtkUH3 B/1U7pupwNKe9xFoQcHzehtk/4cFioBdFH9lRwvm9IlRzPbJ6HiWkkWPB9fJpi+r H0aBoejQEYDzk7YDeNs+Cm8aqTaZ/xdi5pkPKGsvOefqjKHwKlNbugKVS0kDz+Y4 48gBQkQWt+YeP/MxvY1/En9x/lj2M5aGK9pZ/YT0A3KR9FQpADyeqnLbnpdlYQ00 mZnBG9rkyY/+hogd4HJNVNu/sL9kuqSOzQgtG39akpZk4RGPF/gGGat8ExUbBNrQ AtDMysnLaAIGkM9eo1yXuEWXUgUnR3ITfQehV1A7jkQ0mQ1Wy25fbebt9ejJGNUj j3Rk79xhp7Zcc8xHBLnxBU/jdijMdsazdxDXV/Nw+WbNCQeKT/vThiJKeu+Gf1co HDH13G3dlBDfLVmBty2AT0i19AwGtQRywBm8Wxjzg+/JJSAm3GL/ct0CdoDC7qe6 2Tdv+Tjkdb1KQ9bvuJGpfmb2UGif0ZEdHR5gofzpYt/=[end_key] KEEP IT

Targets

    • Target

      8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

    • Size

      56KB

    • MD5

      ecb00e9a61f99a7d4c90723294986bbc

    • SHA1

      be59c867da75e2a66b8c2519e950254f817cd4ad

    • SHA256

      8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

    • SHA512

      9dee79827d865de41a63962b419eed7e1f9610ff27f00f8b7b2b9f51e905d5db907d310da590d8f1a11ac88e549373edf39bffdb44d1b205728f1b5e0a43aa5e

    Score
    10/10
    ransomwareexploitwastedlockerdiscoverypersistence

    • WastedLocker

      Ransomware family seen in the wild since May 2020.

      ransomwarewastedlocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops file in System32 directory

    • Modifies service

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks